The three types of online attackers

Patrick Lambert describes the three main groups of attackers that security specialists are guarding against.

As Internet access becomes more pervasive across the world, and each of us spends more time on the web, there's no question that our attack surface -- how 'juicy' a target we are -- grows as well. Attackers in turn take advantage of this, and they use every tool and technique they have to try to attack us. Hardly a week goes by without some news report about a new botnet, malware infection, or hacked website. Lists of user names and passwords get distributed on pastebin, or a company front page is found to have been injected with a piece of extra code that infects every visitor with some spyware, pushing them to spend a hundred bucks on a fake antivirus product. These things are now commonplace, and we barely think twice about them when we read the headlines. Administrators go out, restore the sites, clean the infections, and life moves on. Sometimes, if it's a big enough deal, the FBI or some other law enforcement agency will get a call, but then it's their problem. Hardly a thought goes out to who exactly is behind all these attacks, why they are happening, and where the attackers are. But a recent TED talk by Mikko Hypponen raised the question to the attendees, and suggested that there are three groups making these attacks.

Criminals

The first group is the one most of us probably think of when something like this occurs. It's the criminals, the organized crime gangs, those nasty people in other countries that want to steal our money or our company secrets. Indeed, this may well be the biggest and most active type of attacker out there, launching attack after attack against our personal and corporate networks. In his talk, Mikko showed a long list of photographs of people who had all become millionaires from doing online crimes. Whether it's installing key loggers on personal computers to steal credit card numbers, infecting web sites to show their fake drug ads, or taking down competitor websites, everything can be done for a price, and since the vast majority are in Russia, China and other countries, it's hard to go after them. These aren't kids who just want to play around, or at least they aren't anymore. Back in the early 90s, the hot thing they did to show off was floods -- IRC floods -- or filling up that T1 connection to a chat server, kicking everyone out. That's how the bad guys had their laughs. But now, we're talking big money. Maybe it's even the same people, who knows? Now it's not about laughing at how many users you can disconnect from a sex chat room, it's about how many bucks you can steal from their bank accounts.

Hacktivists

The second group of attackers is much more recent, and only now starting to get into the public view: hacktivists. These are people who believe in a cause, and want to do everything they can to see it through. The biggest name here is probably Anonymous, a group that could technically include anyone who has an axe to grind, and who can follow simple instructions. These attacks are very different. They are much less sophisticated. This is truly a case of online hacking brought to the masses. Here, all you need to do is follow a Twitter account, and when the call for action is given, you're sent to a page with a button that says click here. Your attack is then under way, and if the 200,000 followers click at the same time, no site in the world is going to survive long. It's been used more and more lately, like in the recent Megaupload case, when several government sites were brought down by hacktivists within a single day of the new 'operation' being called out. Interestingly enough, while the hacktivists are typically college students, or well-meaning people who just want to send a message to the big corporations, or big governments, it's the criminal groups that benefit here. Who makes all these easy-to-use DDoS tools? Who provides those thousands of infected computers, ready to bring down any site you want, for a very reasonable price? The organized crime lords, of course.

Governments

The last group is perhaps surprising, or perhaps completely obvious -- it's the governments. There's no question that many governments in this world spend a lot of resources on attack tools and personnel, and are actively launching online wars against their targets. Mikko talked about the well-known story of East Germany forcing every typewriter owner to register with the government, so that any piece of paper could be traced back to its creator, in case you printed something they didn't like. The Western world was appalled to find out about that. Yet to this day, every single inkjet printer manufacturer encodes every single page we print from our personal printers so that it can be traced back to who printed it. But this is for security, to prevent people from printing money and such, so no one complains about it. But what about actual attacks? The government surely doesn't hack into corporations or individual computers? Again, of course they do. Just last year we read the whole story on how government agencies managed to infiltrate the Iranian nuclear facilities with Stuxnet, and how this couldn't have happened without first getting some critical pieces of information, such as driver-signing keys, from manufacturing plants. But again, few people complained about that: what's a private signing key when you're talking about infecting an enemy's nuclear facility? Surely ultra-secretive government agencies wouldn't misuse it. Right?

Know your enemy

It's interesting how, when we read most headlines about attacks and hacks, we immediately think of some kid in his garage, somewhere in a remote country, using cracking scripts to break into unpatched systems, when the truth is that this is hardly ever the case. It's far more likely to be sophisticated, well-funded millionaires, with multiple yachts, large-screen TVs, and a vast network of computer experts, controlling the destiny of unpatched servers all over the world, and making a lot of money. Or it's hacktivists trying to make a point, probably completely unrelated to your particular machine, just borrowing its bandwidth to flood an 'evil' site. Or it's a government agency, on the hunt for some criminal -- at least we hope that's what they're paid for. In the end, it doesn't really change our situation as network admins or computer professionals; we still get to clean up the mess. But perhaps by actually understanding who is attacking us, we may stand a better chance of surviving the attack with our shirts on.

Which group do you think is the biggest threat at the moment? The concept of hacktivism is relatively new -- are there any emerging threat groups you would add to this list?

About Patrick Lambert


Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news community TideArt. He's always at the forefront of the latest happenings in the world of technology. You can find him online at http://dendory.net or on Twitter at @dendory.

I agree with the three types listed here. I also think that script-kiddies are a unique group as mentioned in an earlier comment, and that threats to privacy from the organizations we trust our data with, and from authorized end users can't be ignored either.
At an event I recently attended, the question came up about defining the line between cybercrime and cyberwar. The most intelligent response, IMO, is that it would be hard to define an act of war that isn't also a crime -- so where the rubber meets the road it is all cybercrime.
Similarly, malware is malware. The distinctions between the groups may matter some from a theoretical standpoint, or for security experts, but from an end user perspective an attack is an attack is an attack. As this paper points out (http://www.pcworld.com/article/246349/protect_your_pcs_in_2012.html), endpoints simply need to have adequate protection in place that can defend against the threat regardless of which "group" is perpetrating the attack.

While criminals, hacktivists and governments are certainly dangerous, they are by no means the only types of online attackers. I describe this fourth type of online attack (on smart-protect) as the most dangerous as it is not targeted and it doesn't even have the concept of a guiding principle. From script-kiddies, to lurkers, to loners, to vandals and ordinary people learning new things that go bad. These are the 'real' problem online; these are the majority of the 50+k new threats that are born every single day.

What the public hears: "cybercriminals have broken into the FBI's computer network.. all is lost.."
What IT security people hear: "some kids tore down a poster the FBI had put up on a wall. It's back up now."
What I really love is talking about these three groups clearly rather than jumping on the mass-media hype-O-matic and blindly calling any of them "te Eveels Hax0rsez". Crime, Activists and Government have consistently expanded into each new medium that we creative monkeys invent. It's still the same crime, activism and bureaucratic power-hunger that it's always been; we don't need to romanticize it or pump it full of emotional perspectives to sell more news blurbs, and we can't rationally address the real problems when we do that.
(I also think Piracy should be limited to violent crime on the high seas, not infringing copyright; yet another place where vested interests chose and molested a term to generate emotional public outcry without thoughtful consideration.)